Messages - s0nic

21.7 Legacy Series / Indicator of compromise? Abnormal DNS requests...
« on: August 31, 2021, 09:57:22 pm »
I have enabled the DNS logging in unbound and I see requests that I would normally assign to an IOC:

2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:0] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:3] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:3] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:0] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 noikwpgdnmdoz.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:3] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN

Notes
  • No client has requested these addresses.
  • 10.10.10.254 = OpnSense LAN Interface
  • kaki = local domain (intranet), e.g. server01.kaki
  • Only OpenVPN is offered via the WAN interface. No other ports have been opened on the WAN interface so far.
  • Only the following packages differ from the default installation:
     - os-etpro-telemetry (installed)
     - os-sensei (installed)
     - os-sunnyvalley (installed)


I have some questions:
  • Why does OpnSense use its LAN address for internal / its own DNS queries?
    ---> I also see other requests from OpnSense with 127.0.0.1, so why is it using 10.10.10.254?
  • What damn package or function is trying to resolve these domains here?
  • If it is a client, he must have spoofed the firewall LAN IP... but then... why does he ask for the domains without TLD?
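One way to triage log lines like the ones above before calling them an IOC is to parse unbound's query log and score each hostname label for randomness (few vowels, long consonant runs, high entropy), then count hits per source address. The script below is an added example, not code from the original post or from the OPNsense project. It assumes the log format exactly as quoted above, uses thresholds chosen for illustration, and embeds the twelve quoted lines plus two constructed benign lines (`server01.kaki`, `www.opnsense.org`) as sample input.

```python
"""Triage an unbound query log for random-looking (DGA- or probe-style) hostnames.

Added example: the regex matches the log format quoted in the post; the
thresholds in label_is_random() are illustrative, not an official rule.
"""
import math
import re
from collections import Counter, defaultdict

# One unbound "info:" query-log line, e.g.
# 2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+unbound\[\d+\]\s+\[\d+:\d+\]\s+info:\s+"
    r"(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)\s*$"
)

VOWELS = frozenset("aeiou")  # 'y' is deliberately treated as a consonant


def parse_line(line):
    """Split one query-log line into its fields; return None for non-query lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()  # drop the trailing root dot
    return rec


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s):
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def label_is_random(label, min_len=10):
    """Heuristic: long all-letter labels with few vowels, a long consonant run
    or high entropy look machine-generated. Labels containing digits are
    skipped, so a DGA that mixes digits would need a different rule."""
    if len(label) < min_len or not label.isalpha():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return (vowel_ratio < 0.3
            or longest_consonant_run(label) >= 5
            or shannon_entropy(label) >= 3.5)


def hostname_is_random(qname, local_zone=None):
    """True if any label of qname looks random; the local search suffix
    (here 'kaki', appended by the resolver) is excluded from scoring."""
    labels = qname.rstrip(".").lower().split(".")
    if local_zone and labels[-1] == local_zone.lower():
        labels = labels[:-1]
    return any(label_is_random(label) for label in labels)


def summarize(lines, local_zone=None):
    """Per-client counts: total queries, random-looking queries, distinct names."""
    stats = defaultdict(lambda: {"total": 0, "random": 0, "names": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["total"] += 1
        if hostname_is_random(rec["qname"], local_zone):
            s["random"] += 1
            s["names"].add(rec["qname"])
    return {client: {"total": s["total"], "random": s["random"],
                     "names": sorted(s["names"])} for client, s in stats.items()}


# Sample input: the twelve lines from the post plus two constructed benign lines.
SAMPLE_LOG = """\
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:0] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:3] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:3] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:0] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 noikwpgdnmdoz.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:3] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:33:05   unbound[33632]   [33632:0] info: 10.10.10.50 server01.kaki. A IN
2021-08-31T21:33:06   unbound[33632]   [33632:1] info: 10.10.10.50 www.opnsense.org. AAAA IN
""".strip().splitlines()


if __name__ == "__main__":
    for client, s in sorted(summarize(SAMPLE_LOG, "kaki").items()):
        print(f"{client}: {s['random']}/{s['total']} random-looking, names={s['names']}")
```

A hit here is a lead, not a verdict. Purely alphabetic labels of 7 to 15 letters, queried in groups of three, are also exactly what Chromium-based browsers send at startup to detect NXDOMAIN hijacking, and a resolver gets the local search suffix appended to them; and if anything on the firewall forwards queries on clients' behalf, the LAN address is what unbound logs as the source. Correlate the timestamps with client-side DNS or browser activity before treating the pattern as compromise.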

21.7 Legacy Series / Monit GUI is faulty (ignore content)
« on: August 05, 2021, 08:37:57 pm »
"ignore content" cannot be configured in the monit GUI of opnSense. I had to configure it manually in /usr/local/etc/monitrc and restart the service to get it to work.

check file NAS_Access with path "/var/log/suricata/eve.json"
   ignore content = "10.0.1.254"
   if content = "alert" then alert

---> https://mmonit.com/monit/documentation/monit.html#FILE-CONTENT-TEST

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved